The Billion-Dollar Quest to Eliminate Smart Contract Bugs

You can’t have software without bugs. Every major piece of code is subject to extensive debugging, which is an inevitable part of the development process. But when that code controls digital assets worth millions of dollars, ensuring it’s free of critical errors isn’t just desirable – it’s imperative. As this week’s Bancor hack and this year’s spate of smaller smart contract fails has shown, creating bug-free code is virtually impossible.

Bugs Have Cost a Lot of People a Lot of Crypto

Cryptocurrencies, even those that don’t permit smart contracts, are susceptible to bugs. Even bitcoin, the benchmark by which other coins are measured, has had its share, like the overflow bug in 2010 that created 180 billion bitcoins in block 74638. It was quickly fixed though without anyone gaining or losing coins. Ethereum users haven’t always been so lucky. Incidents such as the DAO, Parity, and most recently Bancor, whose $12.5 million loss has been attributed to a permissioned backdoor in their smart contract, have pushed the amount of crypto lost to coding errors towards $1 billion.

As a turing complete blockchain, the Ethereum Virtual Machine can be used to enact smart contracts that use extremely sophisticated logic. The trouble is, the more complex that logic, the greater the likelihood of an exploitable bug creeping in. Solidity, the main language used to code Ethereum smart contracts, is notoriously tricky to master. The smart contract-enabled blockchains that have since emerged have been intent on eliminating such mistakes. This entails moving away from Solidity, and often from turing completeness, in favor of a more restrictive system with less margin for error.

How New Blockchains Are Approaching Smart Contracts

At Blockchain Expo in Amsterdam, news.Bitcoin.com spoke with Jordan Andrews, Smart Contracts Lead at Stratis. Their platform uses C#, which has been favored because it provides access to “so many tools like decompilers, great editors, a cohesive testing and debugging deployment suite in Visual Studio. What this means is you can decompile any contract from the bytecode to real C#,” explained Jordan. He contrasts this with Solidity which is in “a delicate developmental stage, where you can’t actually decompile many contracts well. The fact that you can audit only around 1% of contracts on Ethereum is a problem, because basically, the decompilers don’t work.”

While Stratis is largely focused on enterprise adoption, other blockchains are gunning for Ethereum, but have yet to reach a state of readiness where they can lay a glove on the cryptoverse’s de facto smart contract platform. Tezos will use formal verification for its smart contracts in the form of Michelson, a simplistic programming language that prizes security over multi-functionality. As a result, it should be harder for coders to create arbitrary programs, which in turn means it should be harder for them to introduce fatal flaws.

Stellar provides limited smart contract abilities to cover such matters as multi-sig, batching and time bounds. Cardano’s smart contracts must be formally verified to ensure they’re free of bugs and run using a virtual machine called IELE. EOS smart contracts are deployed as pre-compiled Web Assembly using C/C++. Like Cardano and Tezos, EOS is still at an early stage in its development, with just a handful of developers building upon its protocol. Ethereum, in comparison, can count 35,000 Solidity developers, and thus remains the web’s preeminent smart contract blockchain.

Formal Verification Will Reduce Errors

Stratis’ Jordan Andrews is confident that increased adoption of formal verification will make smart contracts less vulnerable: “I think the ecosystem for both [Stratis] and Solidity is going to see so many improvements. One thing that comes up a lot now is formal verification, the idea that you can verify that a contract is going to behave. This is obviously a big thing…Stratis are gonna have the potential to do that, and I know that they’re looking into it with Ethereum as well.”

As blockchain technology permeates every industry, the role smart contracts play in executing decisions will increase dramatically. In the process, computer code will go from controlling hundreds of millions to billions of dollars of digital assets. Eliminating bugs is essential if smart contracts are to become a part of everyday business. Before that happens, costly errors caused by further flaws are inevitable. Ethereum’s smart contract bugs are already out there. It’s just a case of who finds them first: whitehat or black.

Do you think smart contract bugs will ever be completely eradicated? Let us know in the comments section below.